MQSeries.net :: View topic

ydsk · Posted: Tue Jan 24, 2006 2:56 pm Post subject:

An update on the issue:

If the domain id is ABC\xyz, the syntax to create an ACL (giving full access to the domain user-id )on a AIX-Configmgr ( CONFGMGR) is:

mqsicreateaclentry CONFGMGR -u ABC\\xyz -a -x F -p

But interestingly, the following command with the -m flag also does the same job exactly:

mqsicreateaclentry CONFGMGR -u xyz -m ABC -x F -p

The above can be verified by issuing an mqsilistaclentry OR by accessing the configmgr with the id from a toolkit.

Not sure why the -m flag ( which is actually meant for machine name alone as per documentation ) is unable to distinguish between a machine name and a domain name.

This is a security hole....any user can change his machine name to a valid domain-name and just create an id that has permissions on the configmgr, and access the configmgr.

Thanks.
ydsk.